Find Out if your Unix Server is Compromised

If you're running your own server, here are some things to keep track of regularly. Any unusual activity might indicate that your server has been compromised.

Logs

You should monitor your logs with an automated product and, on occasion, manually as well. This gives you early warning that something may be wrong.

File Changes

You can use file hashes for applications and system files, to see whether files have been changed at all. You can also use backups to compare files to a previous state. If using a backup to compare files, use a slightly older one if you can, as the server may have been compromised earlier than you think.

Includes

The warning signs of an intruder may not be files. They may be injected script includes such as <script src="http://baddomain.com/s.js" /> or iframe tags. Also examine images, PDFs and Flash (SWF) or video files. It is a fairly common trick to embed links in files of a different content type.

Unusual file dates, sizes and permissions

If permissions have been set to 777 (execute, read, and write permissions for user, group and whole world), that may be a sign of a break-in. Similarly suspicious is if files seem to have changed at strange times (not a time of day when you are usually making changes), or changed in size.
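The file-hash comparison described under "File Changes" and the permission check above can be scripted as follows. This is an added example, not code from the original page; it assumes GNU coreutils/findutils (sha256sum, find -print0, sort -z, comm), and the directory and baseline paths are placeholders you supply.

```shell
#!/bin/sh
# Build a SHA-256 baseline of a directory tree, then report files that
# changed, disappeared or appeared, plus any file the whole world can write.
# Assumes GNU coreutils/findutils.

# make_baseline DIR OUTFILE: record "hash  path" for every regular file under DIR.
# Use an absolute DIR so the baseline can be checked from any working directory,
# and keep OUTFILE off the server (an intruder can rewrite a local baseline).
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# compare_baseline DIR BASELINE: print one CHANGED/REMOVED/ADDED line per file.
# Returns 0 when nothing differs from the baseline, 1 otherwise.
compare_baseline() {
    dir=$1; base=$2
    # sha256sum -c prints "path: FAILED" for altered content and
    # "path: FAILED open or read" for files that no longer exist.
    diffs=$(sha256sum -c --quiet "$base" 2>/dev/null |
        awk -F': ' '/: FAILED open or read$/ {print "REMOVED " $1; next}
                    /: FAILED$/              {print "CHANGED " $1}')
    # Files present now but absent from the baseline (dropped scripts, new cron helpers).
    cur=$(mktemp); old=$(mktemp)
    find "$dir" -type f | sort > "$cur"
    sed 's/^[0-9a-f]\{64\}  //' "$base" | sort > "$old"
    added=$(comm -13 "$old" "$cur" | sed 's/^/ADDED /')
    rm -f "$cur" "$old"
    printf '%s\n' "$diffs" "$added" | sed '/^$/d'
    [ -z "$diffs$added" ]
}

# list_world_writable DIR: regular files anyone can write to. Mode 777 is the
# classic sign; -perm -0002 also catches 666, 757 and similar variants.
list_world_writable() {
    find "$1" -type f -perm -0002
}
```

Run make_baseline right after a clean install or verified backup, store the output off-box, and run compare_baseline from cron or by hand; a non-zero exit means something on disk no longer matches.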

Check cron jobs for unusual jobs

Someone compromising a system will often leave a back door to get back in again and again. Cron is a very popular way to do this if they managed to get that far.

Missing files

The absence of files may be a sign that someone has cleaned up after themselves.

Updated or queried database records

Check database records that may be queried or updated. Malicious code or data could be injected into the database rather than into the PHP code.

Search engines

If you have a specific bad actor in mind, use a search engine to look for clues. Use directives like site:, e.g. site:yoursitehere.com baddomain.com, to see if you get any hits.

What to do if compromised:

If you think your server's been compromised, it qualifies as a security incident, and the University should be notified. Follow the steps outlined here: Reporting a Security Incident.

Compromised System Policy

Any computer or device on the School of Medicine network that is posing a threat to other computers or network resources may have its network access disabled until the problem is addressed.

Threats include: signs of malware infection, system compromise, attempts to exploit vulnerabilities on other systems, excessive use of network bandwidth, or other malicious network activity. Compromised systems will generally need to be rebuilt with a new installation of the operating system and updated security patches before their network access can be re-enabled.